Center for Software Testing Education & Research

Exploiting Canvas Size Options in Paint

Summary

Paint uses a canvas, a resizeable area that holds the work that will be saved into a picture. When entering the size of the canvas, if the user enters a negative number, Paint interprets the number incorrectly and creates an extremely large canvas.

Application Description

Microsoft Paint is a basic drawing and picture editing program provided with the Windows operating system. Microsoft describes Paint as "a drawing tool you can use to create black-and-white or color drawings that you can save as bitmap (.bmp) files. You can also use Paint to send your drawing in an E-mail, set the image as a Desktop background, and save image files using different file formats."

Test Design

The bug in this presentation was inspired by Domain testing. In Domain testing, we are evaluating a function's acceptance of input by choosing representative data to enter into the data fields.

In Paint, the user creates their "art" on a canvas, a resizeable drawing area. The user is able to edit the width and height of the canvas area, and define its region in terms of inches, centimeters, or - the default - pixels. Here is the options box for editing the canvas size:

Into the Width and Height boxes, the user can enter up to 5 numbers. We can assume, then, that the standard input range is therefore 1-99999. A area consisting of a height or width of 0 or a negative number would be invalid. Any number larger than 99999, though certainly a 'valid' number for an area, is unable to be entered, and therefore invalid.

In Domain testing, one of the facts that we want to keep in the forefront of our minds is that computers have 'magic numbers': certain numbers, either inside or outside the standard range, that can cause issues in the coding. For example, 127 and 65,535 are numbers that lie right on the range of how large computer shorts and integers can be, and therefore can often cause problems that seem to appear out of nowhere.

Similarly, some computer numbers don't have a sign (meaning they are considered exclusively positive). In cases with unsigned numbers, we can run into an interesting error, and it is this error that we are looking for in this presentation. If we have a variable that takes an input of numbers from 0 to 127, and that variable is an unsigned variable (no positive/negative sign noted), then what happens when we enter "-1"? Interestingly enough, entering a negative number would simply give you that number added to the greatest value of the variable. For example, if we entered -1, we would get 126, -2 would get us 125, -3 would get us 124, and et cetera.

Now, we expect that a negative number will either be disallowed, or that the negative sign will be ignored and the number will be input as if it were entered as a positive integer. However, this requires error-checking code, code that is notoriously neglected due to time constraints, so every once and a while, we stumble across a bug of this type.

Performing the Test

1. Open Microsoft Paint.
2. To make sure that we are all in the same place, press Ctrl-N to start a new project:
   

   

3. Now, press Ctrl-E or Image->Attributes to open the canvas attribute properties:
   

   

4. Just to see what our limits are, try entering as many numbers as you can into the width box. You'll find that 5 numbers is the limit.
5. To explore this a little further, change the Units to 'Inches' and then enter '99999' into the width. Then change the units back to 'Pixels'. Now we see more than 5 numbers in the box. We can assume that this is the largest number that we could possibly make the canvas:

   

6. Enter '-1' into the width box.
7. Enter '5' into the heigth box.
8. Press 'OK' to return to Paint:
   

   

   Notice the scroll bar along the bottom: the canvas is massive.

9. Press Ctrl-E to return to the canvas attributes box:
   

   

Results/Relevance

Paint accepted -1 as a valid input, and returned a canvas that actually was 4,294,966 pixels. In fact, we can enter just about any negative number and it will be accepted (up to -9,999 since we can only enter up to 5 characters). When we went through converting the largest amount of inches into pixels, the number we recieved was 4,294,967, which is exactly 1 less than what we came up with when we entered -1. That means that this is an error with unsigned variables. Negative numbers are being added to the greatest possible unsiged value and returning an answer.

This is not a serious bug, as by setting the canvas to inches, we could make a canvas that was 4,294,967 pixels, so it is not giving us a value that is over what we know the program can handle. In fact, this may not even be a bug: it may have been a way for the programmers to save timewhen testing the program by entering -1 instead of switching to inches and typing 99998. Of course, we can not enter 0 (as we are told that the image must be at least 1 pixel), so we should expect the program is not going to allow us to enter input that would theoretically make an image that is 'smaller' than 0 pixels.

The largest danger is that, in creating an image that is -1 width by -1 height, a user might overload the computer's memory and processor. The user will then see errors like this:

Similarly, the computer may become so busy that normal operating system functions may have trouble. For example, the system may become so busy that while opening the Windows Task Manager (alt-ctrl-del) to end Paint, the standard tabs may not appear:

Normal Windows Task Manager window	Windows Task Manager missing tabs due to Paint over-utilizing resources

We can also see in the Windows Task Manager where the tabs are missing that the CPU usage is ~0%. This is because it is calculating how much CPU load is being requested by the user, however the CPU is being utilized intensively by the operating system, which is not reported in Task Manager.

What we found through Domain testing was some input that was invalidly allowed and interpreted. In this case, it did not cause much damage (except for perhaps slowing the computer down for some time), but in other programs users might not be so lucky. Entering incorrect values might overflow the stack, cause vital program information to be overwritten. This is one of the biggest problems in software engineering that Domain testing can help us find.

Similar Tests/Additional Notes

Many of the internal Windows applications, such as Paint, have not recieved much coding attention since their original creation. For this reason, basic tests such as this one may locate some fun and interesting bugs. Try some other testing techniques, such as function testing or combination testing, on the standard Windows applications like Notepad, Paint, and Solitaire.

Configuration Notes

Testing Microsoft's Paint v5.1 on:

• a Dell Optiplex GX240, with
• Microsoft WindowsXP, SP2rc2
• 256 MB SDRAM
• ATI Rage 128 Pro Ultra
• Intel Pentium IV processor, 1.69 GHz

Created 29 July 2004 for the CSTER

Updated 23 August 2005

All images and written material ©Copyright Sam Oswald 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.0/
or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305,
USA.